Getting started
EC for Illumio provides z/OS support for a subset of Illumio PCE computed policies.
From an Illumio PCE perspective, z/OS is configured as an unmanaged workload, meaning that there is no full-function Virtual Enforcement Node (VEN) resident on the platform. EC for Illumio downloads PCE computed access control lists (ACLs) which define the permitted IP connectivity.
When EC for Illumio connects to the PCE (using its REST API), the PCE creates an access control list (ACL) containing the network rules that define access to z/OS IP resources via the TCP/IP Policy Agent (PAGENT). EC for Illumio then generates a new PAGENT configuration file for promotion. Selecting Full Enforcement in the PCE user interface applies the Zero Trust Segmentation (ZTS) model: if the ACL contains no rule allowing access to an IP resource, the z/OS TCP/IP environment refuses the connection. Conversely, in Selective Enforcement mode, EC for Illumio applies the blocking and allowing rules in the PCE ACL and allows all other traffic.
IP-layer connectivity on z/OS is controlled by the IBM Server Policy Agent (PAGENT). Among its capabilities, PAGENT supports IP filtering within its IPSec component through filter rules that can be derived from the ACLs provided by the PCE.
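To make the two enforcement models concrete, the following added example (illustrative code, not EC for Illumio's own implementation) turns a constructed, simplified PCE-style ACL into a PAGENT IP filter policy; the trailing catch-all rule is what distinguishes Full Enforcement (deny anything not allowed) from Selective Enforcement (permit everything else). The AclEntry shape, rule names and the deny-before-allow ordering are assumptions, and the PAGENT keywords follow the z/OS Communications Server IpFilterRule syntax, which should be verified against the IBM reference before use.

```python
"""Build a z/OS policy agent (PAGENT) IP filter policy from PCE-style ACL entries.
Added illustration, not EC for Illumio's code: AclEntry is a constructed simplification of a
PCE computed rule and the PAGENT keywords follow the z/OS IpFilterRule syntax (verify with IBM docs)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "allow" or "deny"
    src: str      # remote address, prefix (a.b.c.d/n) or "all"
    dst: str      # local z/OS IP address
    proto: str    # "tcp" or "udp"
    port: int     # destination port on the z/OS host


def ip_filter_rule(name, src, dst, proto, port, action):
    """One IpFilterRule block; port=None yields a protocol-wide catch-all."""
    if port is None:
        service = [f"      Protocol {proto}", "      Direction bidirectional", "      Routing either"]
    else:  # InboundConnect restricts tcp rules to connections opened by the remote side
        service = [f"      DestinationPortRange {port}", f"      Protocol {proto}",
                   "      Direction bidirectional" + (" InboundConnect" if proto == "tcp" else ""),
                   "      Routing local"]
    return "\n".join([f"IpFilterRule {name}", "{", f"   IpSourceAddr {src}", f"   IpDestAddr {dst}",
                      "   IpService", "   {", *service, "   }",
                      f"   IpGenericFilterActionRef {action}", "}"])


def build_pagent_policy(acl, mode):
    """mode 'full': anything not allowed is refused; 'selective': all other traffic is permitted."""
    if mode not in ("full", "selective"):
        raise ValueError(f"unknown enforcement mode: {mode}")
    # Filter rules match first-hit, so deny entries are placed ahead of allow entries (assumption).
    ordered = [e for e in acl if e.action == "deny"] + [e for e in acl if e.action == "allow"]
    rules = [ip_filter_rule(f"pce_{i}_{e.action}", e.src, e.dst, e.proto, e.port,
                            "permit" if e.action == "allow" else "deny")
             for i, e in enumerate(ordered)]
    # The trailing catch-all is what separates Full from Selective Enforcement.
    rules.append(ip_filter_rule("pce_default", "all", "all", "all", None,
                                "deny" if mode == "full" else "permit"))
    actions = "\n".join(f"IpGenericFilterAction {a}\n{{\n   IpFilterAction {a}\n}}" for a in ("permit", "deny"))
    return "IpFilterPolicy\n{\n" + "\n".join(rules) + "\n}\n" + actions + "\n"


# Constructed sample ACL: SSH from a private range allowed, one host in that range blocked.
SAMPLE_ACL = [AclEntry("allow", "10.0.0.0/8", "192.0.2.10", "tcp", 22),
              AclEntry("deny", "10.5.5.5", "192.0.2.10", "tcp", 22)]

if __name__ == "__main__":
    print(build_pagent_policy(SAMPLE_ACL, "full"))
```

Running the module prints the Full Enforcement policy; pass "selective" to see the permit-all catch-all instead.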